RIPA s 12(7)

Ian Batten igb at
Thu Jun 12 21:04:09 BST 2014

On 12 Jun 2014, at 18:39, Caspar Bowden (lists) <lists at> wrote:
> that looks broad enough to ask for the source code to any client-side Webmail encrypting widget. Quite useful.

It's also broad enough to get a server's private key if RSA was in use: if you've intercepted encrypted sessions, then
having the RSA private key allows you to extract the session keys.  There's a proportionality and collateral issue, but
of course the S.49 notice could be used to demand the CSP decrypt encrypted session keys and provided
by the agency, and therefore satisfy the needs of the investigator without releasing a long-term key.

However, I'm not sure whether the police would be overly interested in any of this, because even if the CSP coughs
all the keys, it's intercept and therefore not admissible.  They'll need other, non-intercept evidence to get the intercept
warrant, and they'll need other, non-intercept evidence to get a conviction.  Cases where the intercept evidence is
therefore hugely significant, to the point of it being worth messing around with production orders, are going to be 
thin on the ground.  And stuff which is admissible when decrypted, for example memory sticks seized under search
warrants or computers with "data at rest" ditto, is much less likely to have keys held by anyone other than the
putative owner.


More information about the ukcrypto mailing list